Recall that the proof of Theorem 3.4 was heavily based on Lemma 3.5. Also recall that Lemma 3.5 was proved in a general form that handles not only standard commitments, but also somewhere-binding commitments. Therefore we get the following stronger separation.
Theorem 7.1. Suppose there exists a secure implementation of some primitive $P$ from partially-fixed random oracles (see Definition 3.3) where $P$ has security threshold zero. Then there exists no black-box construction of non-interactive somewhere-binding commitments with a message space $W$ of polynomial size $|W| = \mathrm{poly}(n)$ from $P$.
It is easy to see that partially-fixed random oracles imply not only (super-polynomially) secure one-way functions, but also exponentially hard (i.e., $2^{\Omega(n)}$-hard) one-way functions. This means that Theorem 7.1 separates non-interactive somewhere-binding commitments for $O(\log n)$-bit messages from $2^{\Omega(n)}$-hard one-way functions. In the following we show that this result is almost optimal by presenting a black-box construction of non-interactive somewhere-binding commitments for $\omega(\log n)^2$-bit messages based on the existence of $2^{\Omega(n)}$-hard one-way functions, and discuss how it could potentially be improved to the optimal case of $\omega(\log n)$-bit messages.
Theorem 7.2. Suppose there exists a $2^{\Omega(n)}$-hard one-way function. Then there exists a non-interactive somewhere-binding commitment scheme for $\omega(\log n)^2$-bit messages.
Proof. Haitner et al. [HHR06] showed (through a black-box construction) that if there exists a $2^{c \cdot m}$-hard one-way function $f\colon \{0,1\}^m \to \{0,1\}^m$, then there exists a pseudorandom generator $g\colon \{0,1\}^k \to \{0,1\}^{k+1}$ for $k = O(m^2)$ which is secure against $2^{c' \cdot m}$-time adversaries, where $c'$ is a constant depending on the constant $c$.

By setting $m = \omega(\log n)$ we get a pseudorandom generator $g\colon \{0,1\}^k \to \{0,1\}^{k+1}$ of seed length $k = O(m^2) = \omega(\log n)^2$ which is secure against $n^{\omega(1)}$-time distinguishers. Our non-interactive somewhere-binding commitment scheme is as follows. Given the message $w \in [2^{k+1}]$, the sender chooses $r \leftarrow_{\$} [2^k]$ at random and sends the commitment $C(w) = w + g(r)$, where $\{0,1\}^{k+1}$ is identified with $[2^{k+1}]$ and the addition is taken modulo $2^{k+1}$. To decommit, the sender simply reveals $(w, r)$. The hiding of the scheme follows from the pseudorandomness of $g(U_k)$: for every $w$, the commitment $w + g(U_k)$ is indistinguishable from the uniform distribution over $[2^{k+1}]$. The somewhere-binding property holds because the image of $g$ has at most $2^k$ elements, and so for any commitment value $C$ there are at most $2^k$ messages $w$ for which some $r$ with $C = w + g(r)$ exists; hence the sender is not able to decommit any commitment value to more than half of the $2^{k+1}$ possible messages.
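As an added illustration (not code from the paper), the following Python instantiates the scheme above with a toy seed length and checks the somewhere-binding counting argument exhaustively. The stand-in for $g$ is SHA-256 truncated to $k+1$ bits; that is an assumption made only to obtain a function of the right shape, and it is not a proven PRG, so hiding is not demonstrated here. What the code does verify is the information-theoretic bound $|\mathrm{Im}(g)| \le 2^k$, which holds for any $g$ with this domain and range, and it exhibits the equivocation that a merely somewhere-binding scheme permits. Addition is taken modulo $2^{k+1}$, as the hiding argument requires.

```python
import hashlib

# Toy parameters (assumption): k = 8 so that the seed space {0,1}^k can be
# enumerated exhaustively; the paper's k = omega(log n)^2 is far too large for that.
K = 8
SEEDS = 1 << K          # |{0,1}^k| = 2^k
MOD = 1 << (K + 1)      # messages and commitments live in [2^(k+1)]


def g(r: int) -> int:
    """Stand-in for the length-expanding PRG g: {0,1}^k -> {0,1}^(k+1).

    Assumption: SHA-256 of the seed, truncated to k+1 bits. It has the right
    input/output lengths but is NOT a proven PRG; only the counting argument
    for somewhere-binding below is meaningful for it, and that argument holds
    for any function with this domain and range.
    """
    if not 0 <= r < SEEDS:
        raise ValueError("seed out of range")
    digest = hashlib.sha256(r.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % MOD


def commit(w: int, r: int) -> int:
    """C(w) = w + g(r), addition modulo 2^(k+1)."""
    if not 0 <= w < MOD:
        raise ValueError("message out of range")
    return (w + g(r)) % MOD


def verify(c: int, w: int, r: int) -> bool:
    """Receiver's check of the decommitment (w, r)."""
    return 0 <= w < MOD and 0 <= r < SEEDS and commit(w, r) == c


def openable_messages(c: int) -> set:
    """All messages w to which the commitment value c can be decommitted.

    w is openable iff c - w lies in the image of g, so this set is exactly
    c - Im(g) and has |Im(g)| <= 2^k elements whatever c is.
    """
    return {(c - g(r)) % MOD for r in range(SEEDS)}


def max_openable_fraction() -> float:
    """Largest fraction of [2^(k+1)] that any single commitment can be opened to.

    Somewhere-binding requires this to be at most 1/2; it equals |Im(g)| / 2^(k+1),
    which is exactly 1/2 when g is injective and smaller otherwise.
    """
    return max(len(openable_messages(c)) for c in range(MOD)) / MOD


def equivocate(c: int):
    """Two valid openings of c to *different* messages, if g takes two values.

    This shows the scheme is somewhere-binding but not binding: the sender can
    open c to any w in c - Im(g), just not to the messages outside that set.
    Returns (w1, r1, w2, r2), or None if g is constant (practically impossible).
    """
    r1, v1 = 0, g(0)
    for r2 in range(1, SEEDS):
        v2 = g(r2)
        if v2 != v1:
            return ((c - v1) % MOD, r1, (c - v2) % MOD, r2)
    return None


if __name__ == "__main__":
    w, r = 300, 77
    c = commit(w, r)
    print("commit", w, "->", c, "verifies:", verify(c, w, r))
    print("max openable fraction:", max_openable_fraction())
    print("two openings of", c, ":", equivocate(c))
```

The counting in `openable_messages` is the whole binding argument: the openable set is a translate of $\mathrm{Im}(g)$, so its size does not depend on the commitment value or on any property of $g$ beyond its seed length, which is why binding here is unconditional while hiding is computational.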
It is clear from the proof of Theorem 7.2 that any improvement on the seed length of pseudorandom generators from one-way functions would improve the message length of our somewhere-binding commitment scheme. In fact, any “security preserving” construction of pseudorandom generators from one-way functions with a linear seed length (which also preserves the exponential hardness) would imply a non-interactive somewhere-binding commitment with an optimal $\omega(\log n)$-bit message length. Whether such security preserving pseudorandom generators exist is in fact a major open question.
Acknowledgment. We thank the anonymous referees of Crypto 2012 for their valuable comments. In particular, we thank Marc Fischlin for a thorough reading of the paper and valuable comments. We thank Noga Alon for pointing out the anti-concentration bound of Lemma A.2.2 in [AS08] to us (used in Lemma 5.14). Finally we thank Yuval Ishai for encouraging us to work on the question of separating the power of black-box versus non-black-box cryptographic constructions.
A Omitted Proofs
Lemma 3.2 (Restated). Let $P$ and $Q$ be two cryptographic primitives where $P$ has security threshold zero. For a randomized oracle $\mathcal{O}$, suppose one can break the black-box security of any implementation $Q^{O}$ of $Q$ with non-negligible probability by asking $\mathrm{poly}(n)$ oracle queries to $O$. Suppose also that there exists a black-box secure implementation $P^{O}$ of $P$ from $\mathcal{O}$. Then there is no black-box construction of $Q$ from $P$.
Proof. Suppose on the contrary that $(Q, S)$ is a black-box construction of $Q$ from $P$. By feeding the randomized implementation $P^{O}$ of $P$ to the implementation $Q$ of $Q$ we get $Q^{P^{O}} = (Q^{P})^{O}$ as a randomized implementation of $Q$ using $O$. Since we assumed that any such implementation is insecure, there is some (computationally unbounded) adversary $A$ who breaks the security of $(Q^{P})^{O}$ with non-negligible advantage $\varepsilon(n) > 1/\mathrm{poly}(n)$ (above $\tau_Q$) for security parameter $n$ by asking only $m = \mathrm{poly}(n)$ oracle queries to $O$.

Call an oracle $O \leftarrow_{\$} \mathcal{O}$ a good oracle if $A$ breaks $(Q^{P})^{O}$ (as an implementation of $Q$) with advantage at least $\varepsilon(n)/2$. An averaging argument shows that a random $O \leftarrow_{\$} \mathcal{O}$ is good with probability at least $\varepsilon(n)/2$. For every good oracle $O$, since $A$ breaks $(Q^{P})^{O}$ with advantage at least $\varepsilon(n)/2$, the security reduction $S^{P^{O}, A^{O}}$ breaks $P^{O}$ over some security parameter $n' = n^{\Theta(1)}$ with probability at least $\delta = \mathrm{poly}(\varepsilon(n)/n') > 1/\mathrm{poly}(n')$.

Note that we can combine the algorithms $S$, $P$, and $A$ to get an algorithm $S^{P,A}$ which asks at most $\mathrm{poly}(n) \cdot m \le \mathrm{poly}(n')$ oracle queries and breaks the security of $P^{O}$ with probability $\delta(n') > 1/\mathrm{poly}(n')$ whenever $O$ is a good oracle. Thus if we choose $O \leftarrow_{\$} \mathcal{O}$, the attacker $S^{P,A}$ still succeeds in breaking $P^{O}$ with non-negligible probability at least $\delta'(n') = (\varepsilon(n)/2) \cdot \delta(n') > 1/\mathrm{poly}(n')$. Since we assumed $P$ to have security threshold zero, the success probability $\delta'(n')$ is already non-negligibly above the security threshold $\tau_P = 0$. Therefore $S^{P,A}$ breaks the black-box security of $P^{O}$ (over the security parameter $n'$), which is a contradiction.
Lemma A.1. FCRHs (families of collision-resistant hash functions) can be black-box securely realized from all partially-fixed random oracles.

We emphasize that having an index for the hash function (and thus making it a family of hash functions) is necessary for deriving this primitive from partially-fixed random oracles. That is because for any $k$-query construction of a single hash function $h^{f}\colon \{0,1\}^{i} \to \{0,1\}^{i/2}$ from the oracle $f$, one can always fix $2k$ points of $f$ to guarantee a collision, and this collision is known to the adversary attacking the collision resistance of $h^{f}$, since the adversary knows the distribution of the function $f$ being used (and the fixed part is part of the description of that distribution).
Proof. Let $f\colon \{0,1\}^n \to \{0,1\}^n$ be a partially-fixed random oracle which is randomly chosen on any point outside a fixed set $S$ with $|S_n| = |S \cap \{0,1\}^n| \le 2^{o(n)}$. Consider the following construction of an FCRH $\{h_d\}$, $h\colon \{0,1\}^{n/2} \times \{0,1\}^{n/2} \to \{0,1\}^{n/4}$, from $f$: for every $d, x \in \{0,1\}^{n/2}$, $h_d(x) = h(d,x)$ is equal to the first $n/4$ bits of $f(d,x)$. We prove that the construction above is black-box secure according to Definition 3.1. Call $d$ a bad index if there exists some $x$ such that $(d,x) \in S$, and call it a good index otherwise. Since $|S_n| = 2^{o(n)}$, a random index $d \leftarrow_{\$} \{0,1\}^{n/2}$ is a bad index only with probability at most $2^{o(n)}/2^{n/2}$.

Now suppose a computationally unbounded adversary $A$ is given some good index $d$ and tries to find a collision in the function $h_d(\cdot)$. Since $d$ is a good index, $h_d(\cdot)$ is a random function from $\{0,1\}^{n/2}$ to $\{0,1\}^{n/4}$. It is easy to see that a $q$-query attacker can find a collision in a random function with a range of size $N$ only with probability $O(q^2/N)$. Therefore, for a good index $d$, a $\mathrm{poly}(n)$-query adversary $A$ is able to find a collision only with probability $\mathrm{poly}(n)/2^{n/4}$. Therefore, by a union bound, the chance of $A$ finding a collision (over the randomness of $h$) is at most $2^{o(n)}/2^{n/2} + \mathrm{poly}(n)/2^{n/4} < \mathrm{negl}(n)$.
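The following Python is an added example (not from the paper) that makes the two halves of the argument above concrete at a toy size: a partially-fixed oracle whose fixed set $S$ is chosen by the adversary to plant a collision under one index, the indexed hash $h_d(x)$ built from its first $n/4$ bits, and the resulting bad-index probability, which is bounded by $|S_n|/2^{n/2}$. The parameters ($n = 16$), the planted index $d^{*}$, and the use of Python's PRNG in place of a truly random oracle are all assumptions made for the demonstration; the point the code checks is that the attacker's knowledge of $S$ only helps on a bad index, while for a good index nothing better than a birthday search on a random $n/4$-bit function remains.

```python
import random

# Toy parameters (assumption): n = 16, so indices d and inputs x are n/2 = 8 bits
# and h_d outputs n/4 = 4 bits; small enough to enumerate every index.
N = 16
HALF = N // 2
QUARTER = N // 4


class PartiallyFixedOracle:
    """f: {0,1}^n -> {0,1}^n, fixed (adversarially) on the set S and uniformly
    random elsewhere. Random values are sampled lazily on first query, which is
    equivalent to fixing the whole random function up front."""

    def __init__(self, fixed: dict, seed: int = 0):
        self.fixed = dict(fixed)        # (d, x) -> n-bit value: the set S
        self.sampled = {}
        self.rng = random.Random(seed)  # constructed randomness for the demo

    def __call__(self, d: int, x: int) -> int:
        key = (d, x)
        if key in self.fixed:
            return self.fixed[key]
        if key not in self.sampled:
            self.sampled[key] = self.rng.getrandbits(N)
        return self.sampled[key]


def h(f, d: int, x: int) -> int:
    """The FCRH of Lemma A.1: h_d(x) = first n/4 bits of f(d, x)."""
    return f(d, x) >> (N - QUARTER)


def planted_fixed_set(d_star: int) -> dict:
    """The adversary's choice of S: two points under the same index d* with equal
    oracle outputs, so h_{d*}(0) == h_{d*}(1) is a collision known in advance."""
    return {(d_star, 0): 0, (d_star, 1): 0}


def is_bad_index(fixed: dict, d: int) -> bool:
    """d is bad if some (d, x) lies in S."""
    return any(dd == d for (dd, _) in fixed)


def bad_index_probability(fixed: dict) -> float:
    """Pr_d[d is bad] over a uniform index; never more than |S_n| / 2^(n/2)."""
    return sum(is_bad_index(fixed, d) for d in range(1 << HALF)) / (1 << HALF)


def attack(f, fixed: dict, d: int):
    """Attacker who knows S (it is part of the oracle's description): look for a
    collision of h_d among the fixed points under index d. Returns (x, x') or None.
    On a good index there is nothing to exploit and only a birthday search is left."""
    xs = sorted(x for (dd, x) in fixed if dd == d)
    seen = {}
    for x in xs:
        y = h(f, d, x)
        if y in seen:
            return (seen[y], x)
        seen[y] = x
    return None


def birthday_bound(q: int) -> float:
    """Upper bound q^2 / 2^(n/4) on a q-query attacker's collision probability
    against a random function with n/4-bit outputs (the O(q^2/N) term)."""
    return q * q / (1 << QUARTER)


if __name__ == "__main__":
    S = planted_fixed_set(0x2A)
    f = PartiallyFixedOracle(S)
    print("Pr[bad index] =", bad_index_probability(S), "<=", len(S) / (1 << HALF))
    print("attack on the planted index:", attack(f, S, 0x2A))
    print("attack on a good index:", attack(f, S, 0x2B))
```

Dropping the index (a single function $h(x)$ built from $f$) corresponds to every query landing under one fixed $d$, which is exactly the case in which `attack` succeeds; randomizing $d$ is what pushes the planted points out of reach except with probability $|S_n|/2^{n/2}$.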
References

[ACP98] Alexander E. Andreev, Andrea E. F. Clementi, and José D. P. Rolim, A new general derandomization method, Journal of the ACM 45 (1998).
[ACPT99] Alexander E. Andreev, Andrea E. F. Clementi, José D. P. Rolim, and Luca Trevisan, Weak random sources, hitting sets, and BPP simulations, SIAM Journal on Computing 28 (1999).
[AK01] Arvind and Köbler, On pseudorandomness and resource-bounded measure, Theoretical Computer Science 255 (2001).
[AKS02] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, PRIMES is in P, Report, Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, Kanpur-208016, India, August 2002.
[AS08] Noga Alon and Joel H. Spencer, The probabilistic method, third ed., Wiley, New York, 2008.
[Bar01] Boaz Barak, How to go beyond the black-box simulation barrier, Proceedings of the 42nd Annual Symposium on Foundations of Computer Science (FOCS), 2001, pp. 106–115.
[BCC88] Gilles Brassard, David Chaum, and Claude Crépeau, Minimum disclosure proofs of knowledge, Journal of Computer and System Sciences 37 (1988), no. 2, 156–189.
[BCKT94] Bshouty, Cleve, Kannan, and Tamon, Oracles and queries that are sufficient for exact learning, COLT: Proceedings of the Workshop on Computational Learning Theory, Morgan Kaufmann Publishers, 1994.
[BCY91] Gilles Brassard, Claude Crépeau, and Moti Yung, Constant-round perfect zero-knowledge computationally convincing protocols, Theoretical Computer Science 84 (1991), no. 1, 23–52.
[BFL90] László Babai, Lance Fortnow, and Carsten Lund, Non-deterministic exponential time has two-prover interactive protocols, FOCS, 1990, pp. 16–25.
[BI87] Blum and Impagliazzo, Generic oracles and oracle classes, FOCS: IEEE Symposium on Foundations of Computer Science, 1987.
[BK95] Manuel Blum and Sampath Kannan, Designing programs that check their work, Journal of the ACM 42 (1995), no. 1, 269–291.
[Blu81] Manuel Blum, Coin flipping by telephone, CRYPTO, 1981, pp. 11–15.
[Blu87] Manuel Blum, How to prove a theorem so no one else can claim it, Proceedings of the International Congress of Mathematicians, 1987, pp. 1444–1451.
[BM82] Manuel Blum and Silvio Micali, How to generate cryptographically strong sequences of pseudo random bits, 1982, pp. 112–117.
[BM07] Boaz Barak and Mohammad Mahmoody, Lower bounds on signatures from symmetric primitives, FOCS: IEEE Symposium on Foundations of Computer Science, 2007.
[BMO90] Mihir Bellare, Silvio Micali, and Rafail Ostrovsky, Perfect zero-knowledge in constant rounds, Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC), ACM Press, 1990, pp. 482–493.
[BOV03] Boaz Barak, Shien Jin Ong, and Salil Vadhan, Derandomization in cryptography, Advances in Cryptology – CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, Springer, 2003, pp. 299–315.
[BPR+08] Boneh, Papakonstantinou, Rackoff, Vahlis, and Waters, On the impossibility of basing identity based encryption on trapdoor permutations, FOCS: IEEE Symposium on Foundations of Computer Science, 2008.
[BR93] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, ACM Conference on Computer and Communications Security, November 1993, pp. 62–73.
[CDSMW08] Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee, Black-box construction of a non-malleable encryption scheme from any semantically secure one, TCC (Ran Canetti, ed.), Lecture Notes in Computer Science, vol. 4948, Springer, 2008, pp. 427–444.
[CDSMW09] Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee, Simple, black-box constructions of adaptively secure protocols, TCC (Omer Reingold, ed.), Lecture Notes in Computer Science, vol. 5444, Springer, 2009, pp. 387–402.
[DPP98] Ivan B. Damgård, Torben P. Pedersen, and Birgit Pfitzmann, Statistical secrecy and multibit commitments, IEEE Transactions on Information Theory 44 (1998), no. 3, 1143–1151.
[DSLMM11] Dana Dachman-Soled, Yehuda Lindell, Mohammad Mahmoody, and Tal Malkin, On black-box complexity of optimally-fair coin-tossing, Theory of Cryptography Conference – TCC 2011, 2011.
[FRS88] Lance Fortnow, John Rompel, and Michael Sipser, On the power of multi-prover interactive protocols, Theoretical Computer Science, 1988, pp. 156–161.
[GGKT05] Rosario Gennaro, Yael Gertner, Jonathan Katz, and Luca Trevisan, Bounds on the efficiency of generic cryptographic constructions, SIAM Journal on Computing 35 (2005), no. 1, 217–246.
[GK92] Oded Goldreich and Hugo Krawczyk, Sparse pseudorandom distributions, Random Structures & Algorithms 3 (1992), no. 2, 163–174.
[GK96] Oded Goldreich and Ariel Kahan, How to construct constant-round zero-knowledge proof systems for NP, Journal of Cryptology 9 (1996), no. 3, 167–190.
[GKL93] Oded Goldreich, Hugo Krawczyk, and Michael Luby, On the existence of pseudorandom generators, SIAM Journal on Computing 22 (1993), no. 6, 1163–1175.
[GKM+00] Yael Gertner, Sampath Kannan, Tal Malkin, Omer Reingold, and Mahesh Viswanathan, The relationship between public key encryption and oblivious transfer, Proceedings of the 41st Annual IEEE Symposium on Foundations of Computer Science, 2000.
[GL89] Oded Goldreich and Leonid A. Levin, A hard-core predicate for all one-way functions, Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), 1989, pp. 25–32.
[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing 17 (1988), no. 2, 281–308, Preliminary version in FOCS’84.
[GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rackoff, The knowledge complexity of interactive proof systems, SIAM Journal on Computing 18 (1989), no. 1, 186–208, Preliminary version in STOC’85.
[GMR01] Yael Gertner, Tal Malkin, and Omer Reingold, On the impossibility of basing trapdoor functions on trapdoor predicates, FOCS, 2001, pp. 126–135.
[GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, STOC, 1987, pp. 218–229.
[GMW91] Oded Goldreich, Silvio Micali, and Avi Wigderson, Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems, Journal of the ACM 38 (1991), no. 1, 691–729, Preliminary version in FOCS’86.
[Goy11] Vipul Goyal, Constant round non-malleable protocols using one way functions, 2011.
[GT00] Rosario Gennaro and Luca Trevisan, Lower bounds on the efficiency of generic cryptographic constructions, Proceedings of the 41st Annual Symposium on Foundations of Computer Science, 2000, pp. 305–313.
[GTS07] Dan Gutfreund and Amnon Ta-Shma, Worst-case to average-case reductions revisited, APPROX-RANDOM (Moses Charikar, Klaus Jansen, Omer Reingold, and José D. P. Rolim, eds.), Lecture Notes in Computer Science, vol. 4627, Springer, 2007, pp. 569–583.
[GV08] Dan Gutfreund and Salil P. Vadhan, Limitations of hardness vs. randomness under uniform reductions, APPROX-RANDOM, 2008, pp. 469–482.
[GW99] Oded Goldreich and Avi Wigderson, Improved derandomization of BPP using a hitting set generator, Proceedings of the RANDOM 99 Conference, 1999, pp. 131–137.
[GWXY10] S. Dov Gordon, Hoeteck Wee, David Xiao, and Arkady Yerukhimovich, On the round complexity of zero-knowledge proofs based on one-way permutations, LATINCRYPT (Michel Abdalla and Paulo S. L. M. Barreto, eds.), Lecture Notes in Computer Science, vol. 6212, Springer, 2010, pp. 189–204.
[Hai08] Iftach Haitner, Semi-honest to malicious oblivious transfer – the black-box way, Theory of Cryptography, Fourth Theory of Cryptography Conference, TCC 2008, 2008, pp. 394–409.
[HHK+05] Iftach Haitner, Omer Horvitz, Jonathan Katz, Chiu-Yuen Koo, Ruggero Morselli, and Ronen Shaltiel, Reducing complexity assumptions for statistically-hiding commitment, Advances in Cryptology – EUROCRYPT 2005, 2005, pp. 58–77. See also the preliminary draft of the full version, www.wisdom.weizmann.ac.il/~iftachh/papers/SCfromRegularOWF.pdf.
[HHR06] Iftach Haitner, Danny Harnik, and Omer Reingold, Efficient pseudorandom generators from exponentially hard one-way functions, Automata, Languages and Programming, 24th International Colloquium, ICALP, 2006.
[HHRS07] Iftach Haitner, Jonathan J. Hoch, Omer Reingold, and Gil Segev, Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments, Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society, 2007.
[HHry] Juris Hartmanis and Lane A. Hemachandra, One-way functions, robustness, and the non-isomorphism of NP-complete sets, Tech. Report 86-796, Department of Computer Science, Cornell University, January 1987.
[HIK+11] Iftach Haitner, Yuval Ishai, Eyal Kushilevitz, Yehuda Lindell, and Erez Petrank, Black-box constructions of protocols for secure computation, SIAM Journal on Computing 40 (2011), no. 2, 225–266.
[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby, A pseudorandom generator from any one-way function, SIAM Journal on Computing 28 (1999), no. 4, 1364–1396, Preliminary versions in STOC’89 and STOC’90.
[HK05] Omer Horvitz and Jonathan Katz, Bounds on the efficiency of “black-box” commitment schemes, ICALP ’05, 2005, pp. 128–139.
[HMX10] Iftach Haitner, Mohammad Mahmoody, and David Xiao, A new sampling protocol and applications to basing cryptographic primitives on the hardness of NP, IEEE Conference on Computational Complexity, IEEE Computer Society, 2010, pp. 76–87.
[HNO+07] Iftach Haitner, Minh-Huyen Nguyen, Shien Jin Ong, Omer Reingold, and Salil Vadhan, Statistically-hiding commitments and statistical zero-knowledge arguments from any one-way function, SIAM Journal on Computing, November 2007.
[HO11] Iftach Haitner and Eran Omri, Coin flipping with constant bias implies one-way functions, 2011.
[HR07] Iftach Haitner and Omer Reingold, Statistically-hiding commitment from any one-way function, Proceedings of the 39th Annual ACM Symposium on Theory of Computing (STOC), ACM Press, 2007.
[HRVW09] Iftach Haitner, Omer Reingold, Salil P. Vadhan, and Hoeteck Wee, Inaccessible entropy, 2009.
[IL89] Russell Impagliazzo and Michael Luby, One-way functions are essential for complexity based cryptography, Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), 1989, pp. 230–235.
[IOS97] Itoh, Ohta, and Shizuya, A language-dependent cryptographic primitive, Journal of Cryptology 10 (1997).
[IR89] Russell Impagliazzo and Steven Rudich, Limits on the provable consequences of one-way permutations, Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), ACM Press, 1989, pp. 44–61.
[KMS07] Bruce Kapron, Lior Malka, and Venkatesh Srinivasan, A characterization of non-interactive instance-dependent commitment-schemes (NIC), Automata, Languages and Programming, 34th International Colloquium, ICALP 2007, Lecture Notes in Computer Science, Springer, 2007.
[KSS00] Jeff Kahn, Michael Saks, and Cliff Smyth, A dual version of Reimer’s inequality and a proof of Rudich’s conjecture, 15th Annual IEEE Conference on Computational Complexity, 2000, pp. 98–103.
[KST99] Jeong Han Kim, Daniel R. Simon, and Prasad Tetali, Limits on the efficiency of one-way permutation-based hash functions, FOCS, 1999, pp. 535–542.
[KSY11] Katz, Schröder, and Yerukhimovich, Impossibility of blind signatures from one-way permutations, TCC: Theory of Cryptography Conference, 2011.
[KvM02] Adam Klivans and Dieter van Melkebeek, Graph nonisomorphism has subexponential size proofs unless the polynomial-time hierarchy collapses, SIAM Journal on Computing 31 (2002), no. 5, 1501–1526.
[Lev87] Leonid A. Levin, One-way functions and pseudorandom generators, Combinatorica 7 (1987), 357–363.
[LHWL93] Arjen K. Lenstra and Hendrik W. Lenstra, Jr. (eds.), The development of the number field sieve, Lecture Notes in Mathematics, vol. 1554, Springer-Verlag, Berlin, 1993.
[LTW05] Lin, Trevisan, and Wee, On hardness amplification of one-way functions, Theory of Cryptography Conference (TCC), LNCS, vol. 2, 2005.
[Mil76] Gary L. Miller, Riemann’s hypothesis and tests for primality, Journal of Computer and System Sciences 13 (1976), no. 3, 300–317.
[MM11] Matsuda and Matsuura, On black-box separations among injective one-way functions, TCC: Theory of Cryptography Conference, 2011.
[MMV11] Mohammad Mahmoody, Tal Moran, and Salil P. Vadhan, Time-lock puzzles in the random oracle model, CRYPTO (Phillip Rogaway, ed.), Lecture Notes in Computer Science, vol. 6841, Springer, 2011, pp. 39–50.
[MV05] Miltersen and Vinodchandran, Derandomizing Arthur-Merlin games using hitting sets, Computational Complexity 14 (2005).
[MX10] Mohammad Mahmoody and David Xiao, On the power of randomized reductions and the checkability of SAT, IEEE Conference on Computational Complexity, IEEE Computer Society, 2010.
[Nao91] Moni Naor, Bit commitment using pseudorandomness, Journal of Cryptology 4 (1991), no. 2, 151–158, Preliminary version in CRYPTO’89.
[Nao03] Naor, On cryptographic assumptions and challenges, CRYPTO 2003.
[NOV06] Minh-Huyen Nguyen, Shien Jin Ong, and Salil Vadhan, Statistical zero-knowledge arguments for NP from any one-way function, Proceedings of the 47th Annual Symposium on Foundations of Computer Science (FOCS), 2006, pp. 3–14.
[NOVY98] Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung, Perfect zero-knowledge arguments for NP using any one-way permutation, Journal of Cryptology 11 (1998), no. 2, 87–108, Preliminary version in CRYPTO’92.
[OV07] Shien Jin Ong and Salil Vadhan, Zero knowledge and soundness are symmetric, Advances in Cryptology – EUROCRYPT 2007, 2007, pp. 187–209.
[OW93] Rafail Ostrovsky and Avi Wigderson, One-way functions are essential for non-trivial zero-knowledge, ISTCS, 1993, pp. 3–17.
[PW09] Rafael Pass and Hoeteck Wee, Black-box constructions of two-party protocols from one-way functions, TCC (Omer Reingold, ed.), Lecture Notes in Computer Science, vol. 5444, Springer, 2009, pp. 403–418.
[Rab80] Michael O. Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory 12 (1980), no. 1, 128–138.
[RTV04] Omer Reingold, Luca Trevisan, and Salil P. Vadhan, Notions of reducibility between cryptographic primitives, Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004, Lecture Notes in Computer Science, vol. 2951, Springer, 2004, pp. 1–20.
[Rud88] Steven Rudich, Limits on the provable consequences of one-way functions, Ph.D. thesis, U.C. Berkeley, 1988.
[Sim98] Daniel Simon, Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?, Advances in Cryptology – EUROCRYPT ’98, Lecture Notes in Computer Science, vol. 1403, Springer, 1998, pp. 334–345.
[Tar89] Gábor Tardos, Query complexity, or why is it difficult to separate $NP^A \cap coNP^A$ from $P^A$ by random oracles $A$?, Combinatorica 9 (1989), no. 4, 385–392.
[Vah10] Yevgeniy Vahlis, Two is a crowd? A black-box separation of one-wayness and security under correlated inputs, TCC (Daniele Micciancio, ed.), Lecture Notes in Computer Science, vol. 5978, Springer, 2010, pp. 165–182.
[Wee10] Hoeteck Wee, Black-box, round-efficient secure computation via non-malleability am-